EIGRP over VPN

george.tsanava
Beginner

Hello,

router MAIN

router eigrp 900
 network 1.1.1.0 0.0.0.255
 no auto-summary

router DR

router eigrp 900
 network 2.2.2.0 0.0.0.255
 no auto-summary

router BRANCH-1

router eigrp 900
 network 1.1.1.68 0.0.0.3
 network 2.2.2.68 0.0.0.3
 network 4.4.4.4 0.0.0.3
 no auto-summary

Well, there are MAIN and DR routers and several branches; each branch is advertising some /30 subnet, like 4.4.4.4/30.

The problem is that BRANCH-1 knows 4.4.4.32/30, which is advertised for example by BRANCH-9, and BRANCH-9 knows BRANCH-1's 4.4.4.4/30.

Also, each branch knows 1.1.1.x/30 and 2.2.2.x/30.

Which way is best to prevent this?

 

Many thanks :)

7 Replies

Spooster IT Services
Rising star

Hello george.tsanava,

One of the options is route filtering at the HUB/MAIN router, which is the way to avoid these transit subnets reaching the branches. Secondly, you can use summary route advertisement.

Spooster IT Services Team

Richard Burts
Hall of Fame Community Legend

The title of the original post mentioned VPN but the description of the environment told us nothing about VPN. I don't know if there is anything about the VPN that would impact this discussion (such as is it DMVPN which facilitates full mesh connectivity). But knowing nothing about that aspect of the environment I would suggest that in a hub and spoke environment running EIGRP it is frequently set up so that each branch advertises its subnets to the hub and the hub advertises just a default route to the hub. Pending anything we might learn about the VPN environment I would suggest this hub and spoke approach.

 

HTH

Rick

Rick,

Yes, it is hub and spoke. From both hubs (MAIN & DR) I have VTI tunnels to each branch.

The goal is to prevent branches from knowing each other's subnets.

BRANCH-1

interface Tunnel1
 description %to MAIN%
 ip address 1.1.1.69 255.255.255.252

interface Tunnel2
 description %to DR%
 ip address 2.2.2.69 255.255.255.252

interface Loopback3
 description %LAN%
 ip address 4.4.4.5 255.255.255.252

router eigrp 900
 network 1.1.1.68 0.0.0.3
 network 2.2.2.68 0.0.0.3
 network 4.4.4.4 0.0.0.3
 no auto-summary

BRANCH-n

interface Tunnel1
 description %to MAIN%
 ip address 1.1.1.73 255.255.255.252

interface Tunnel2
 description %to DR%
 ip address 2.2.2.73 255.255.255.252

interface Loopback3
 description %LAN%
 ip address 4.4.4.9 255.255.255.252

router eigrp 900
 network 1.1.1.72 0.0.0.3
 network 2.2.2.72 0.0.0.3
 network 4.4.4.8 0.0.0.3
 no auto-summary

router MAIN

router eigrp 900
 network 1.1.1.0 0.0.0.255
 no auto-summary

router DR

router eigrp 900
 network 2.2.2.0 0.0.0.255
 no auto-summary

For now BRANCH-1 knows BRANCH-n subnets via EIGRP (via MAIN & DR):

 network 1.1.1.72 0.0.0.3
 network 2.2.2.72 0.0.0.3
 network 4.4.4.8 0.0.0.3

&

BRANCH-n knows BRANCH-1 subnets via EIGRP (via MAIN & DR):

 network 1.1.1.68 0.0.0.3
 network 2.2.2.68 0.0.0.3
 network 4.4.4.4 0.0.0.3

 

BRANCH-1#trace 4.4.4.9
  1 1.1.1.70 16 msec 4 msec 4 msec    (MAIN router's tunnel IP to BRANCH-1)
  2 1.1.1.73 8 msec * 4 msec
  3 4.4.4.9

 

I want BRANCH-1 not to know BRANCH-n subnets (1.1.1.72, 2.2.2.72, 4.4.4.8) and BRANCH-n not to know BRANCH-1 subnets.

Which is the best way to accomplish this task?

Thanks
Richard Burts
Hall of Fame Community Legend

Thank you for clarifying that it is dual hub and spoke with vti tunnels. There are several ways that you can achieve that branch routers do not see routes for subnets at other branches. You could use a distribute list for each hub vti tunnel which would permit advertisement of 0.0.0.0 and deny everything else. But the simple solution is on each hub vti tunnel use EIGRP summary address to advertise 0.0.0.0. That way each branch receives only the default route and not subnets from other branches.

 

HTH

Rick

Hi George, from the hub you can apply a distribute-list based on an ACL that permits the traffic you want to be known by the spokes.

Let's say:

int T1
 description to Spoke A

int T2
 description to Spoke B

! Wildcard masks added: without one, "permit 1.1.1.0" matches only the single host 1.1.1.0
access-list 1 permit 1.1.1.0 0.0.0.255
access-list 2 permit 2.2.2.0 0.0.0.255

! Direction is "out": the hub filters the routes it advertises toward each spoke
router eigrp 1
 distribute-list 1 out Tunnel1
 distribute-list 2 out Tunnel2

Regards

HTH

Sorry, my question was not fully clear: spokes need to know only /30 routes.

Richard Burts
Hall of Fame Community Legend

I appreciate your attempt to clarify what you want to accomplish. But saying that you want spokes to know only /30 routes is not helpful, since every route in your explanation was /30. The spoke routes to the hub (using networks 1.1.1 and 2.2.2) are /30, and the other route (which logically would be its LAN) is /30 as well.

 

I believe that I understand what you want to accomplish which is that each spoke does not receive advertisement of routes from any other spoke. If that is your requirement then my suggestions are still valid. You could achieve this by configuring distribute lists and applying to each tunnel on the hub routers. But the easier and better solution will be to use eigrp summary address on the hub tunnels to advertise only a default route to each spoke.

 

HTH

Rick
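Added worked configuration for the MAIN hub, illustrating both of the approaches Rick describes (the per-tunnel default summary and the outbound distribute-list). This is an editor's example, not a poster's configuration. It reuses the thread's EIGRP AS 900 and MAIN's tunnel address 1.1.1.70 (seen in the traceroute); the interface names, MAIN's address 1.1.1.74 toward BRANCH-n, the prefix-list name DEFAULT-ONLY and the upstream next hop are assumptions. DR would be configured the same way with its 2.2.2.x tunnel addresses. Use one option or the other; they are shown together for comparison.

```cisco
! MAIN hub, classic-mode EIGRP AS 900 (the AS used in the thread).
! Assumed: interface names, 1.1.1.74 as MAIN's address on the 1.1.1.72/30 tunnel,
! prefix-list name DEFAULT-ONLY, and the <UPSTREAM-NEXT-HOP> placeholder.
!
! Option 1: per-tunnel default summary (the solution Rick recommends).
! The summary suppresses every more-specific route on that interface, so the
! spoke receives only 0.0.0.0/0. Caveat: EIGRP also installs the summary on the
! hub as a discard route (0.0.0.0/0 via Null0, administrative distance 5). The
! hub must hold a better default (a static route, AD 1), otherwise traffic from
! spokes to destinations the hub has no specific route for is dropped at the hub.
! Verify on the hub with: show ip route 0.0.0.0
interface Tunnel1
 description %to BRANCH-1%
 ip address 1.1.1.70 255.255.255.252
 ip summary-address eigrp 900 0.0.0.0 0.0.0.0
!
interface Tunnel2
 description %to BRANCH-n%
 ip address 1.1.1.74 255.255.255.252
 ip summary-address eigrp 900 0.0.0.0 0.0.0.0
!
! Option 2: outbound distribute-list per tunnel. Direction is "out" because the
! hub is filtering what it advertises to the spoke. Unlike the summary, a
! distribute-list only filters: the hub must already carry a default route in
! EIGRP for the spoke to learn one, hence the static default and its redistribution.
ip route 0.0.0.0 0.0.0.0 <UPSTREAM-NEXT-HOP>
!
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
router eigrp 900
 network 1.1.1.0 0.0.0.255
 redistribute static metric 10000 100 255 1 1500
 distribute-list prefix DEFAULT-ONLY out Tunnel1
 distribute-list prefix DEFAULT-ONLY out Tunnel2
 no auto-summary
```

After either change, "show ip route eigrp" on BRANCH-1 should list only a D* 0.0.0.0/0 entry via 1.1.1.70 (and via DR's tunnel address), with no 1.1.1.72/30, 2.2.2.72/30 or 4.4.4.8/30 routes. Note that both options hide routes but do not isolate the spokes: BRANCH-1 can still reach 4.4.4.9 by following its default route to MAIN, which holds the full table, as the traceroute in the thread shows. If the policy is that branches must not talk to each other at all, the hubs also need a traffic filter on the tunnel interfaces, since route filtering alone does not enforce it.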